
Introduction.
Many companies do not have an accurate picture of the GDPR because of the conflicting information in circulation, and many of them have asked us, with our head office based in Europe, to provide the latest information and countermeasures on the GDPR.
This time, we would like to share the latest information and countermeasures for the GDPR, drawing on the website of the European Commission's Directorate-General for Justice and Consumer Affairs.
Needless to say, the information on the European Commission's official website is accurate.
The GDPR (General Data Protection Regulation) is a personal data protection regulation that came into force in the European Union in May 2018. The regulation applies to all organizations operating in the EU or handling personal data of EU citizens.
The purpose of the GDPR is to strengthen the protection of personal privacy, and violations can result in hefty fines. Specifically, the fine is the higher of 4% of annual turnover or a maximum of approximately 3.2 billion yen.
Conclusion.
All individuals and corporations with websites fall within its scope, including e-commerce sites, web services, and client information held by branch offices and subsidiaries.
Simply put, "European personal data cannot be managed or stored outside Europe!"
All data processing must be GDPR compliant, and violations may result in significant fines.
IS THERE A DIFFERENCE BETWEEN GDPR AND THE PRIVACY ACT?
There are several differences between Japan's Personal Information Protection Law and the GDPR.
In particular, the GDPR is unique in that it has a global scope and applies to all companies that handle the personal data of EU citizens. Japan's Personal Information Protection Law, on the other hand, focuses primarily on data protection within the country.
IS THERE A PROBLEM WITH CROSS-BORDER DATA TRANSFERS BETWEEN THE EU AND JAPAN RELATED TO GDPR?
In accordance with Article 28 of the Personal Information Protection Law, Japan has designated the EU as a foreign country (country or region) whose system for the protection of personal information is recognized as being at the same level as Japan's in protecting the rights and interests of individuals.
The EU, in turn, has certified the adequacy of Japan in accordance with Article 45 of the GDPR (General Data Protection Regulation).
Thus, a framework of mutual recognition has been established between the EU and Japan to facilitate the smooth transfer of personal data between the two. The data protection systems of the two are regarded as equivalent, and personal data can circulate freely between them.
Reference: Personal Information Protection Commission
HOWEVER, WHAT IS THE CURRENT STATUS OF THE REAL GDPR?
Yahoo Japan
From April 2022, Yahoo Japan restricts access from the Europe and United Kingdom area.
The stated purpose is to avoid GDPR risk, and the reasons can be verified.
SPANISH SUBSIDIARY OF NTT DATA
In 2022, it was fined approximately 10 million for violations of the GDPR.
The details cited for this breach were the absence of a person responsible for data protection and the ambiguity of the purpose of the processing.
This case study demonstrates once again the importance of GDPR compliance.
DESIGNING A CROSS-BORDER E-COMMERCE SITE FROM GDPR
GDPR CLEARLY STATES WHO IS RESPONSIBLE, HOW TO MANAGE, ETC.
The following information must be clearly stated:
- Information about your company/organization (contact details, DPO contact)
- Reason for using personal data (purpose)
- Categories of personal data involved
- Legal justification for data processing
- Period of time for which data will be stored
- Recipients of the data
- Details on when data is transferred outside the EU
- Rights individuals have (e.g., data access, deletion, correction)
Cookie Approval Function
Cross-border e-commerce sites must be brought up to GDPR and global-standard specifications.
Cookie approval requires displaying a pop-up when a user enters your site, offering the options "Accept", "Customize", or "Deny".
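As an added illustration that is not code from the original article, the following script turns the pop-up's three choices into a gate that blocks non-essential cookies until the visitor has answered, records the decision so it can be shown later, and lets the visitor withdraw it; the category names, the version string and the Map-backed store are assumptions standing in for a real cookie layer.

```javascript
// Added example, not code from the original article: a consent gate behind the
// "Accept" / "Customize" / "Deny" pop-up. Category names, the version string and
// the Map-backed store are assumptions standing in for a real cookie layer.
const CATEGORIES = ["necessary", "analytics", "marketing"];
const CONSENT_VERSION = "2024-01"; // bump whenever the cookie notice text changes
function createConsentGate(store = new Map()) {
  let consent = null;          // null: pop-up not answered, only "necessary" may be set
  const written = new Map();   // cookie name -> category, so withdrawal can purge

  // Record the visitor's choice; "customize" takes per-category booleans.
  function decide(choice, customized = {}) {
    const granted = { necessary: true };
    for (const cat of CATEGORIES.slice(1)) {
      if (choice === "accept") granted[cat] = true;
      else if (choice === "deny") granted[cat] = false;
      else if (choice === "customize") granted[cat] = customized[cat] === true;
      else throw new Error("unknown choice: " + choice);
    }
    consent = { choice, granted, version: CONSENT_VERSION, at: new Date().toISOString() };
    // The record of the decision is itself strictly necessary, so it needs no consent.
    store.set("consent", JSON.stringify(consent));
    return consent;
  }

  // Allowed only if strictly necessary, or granted under the current notice version;
  // a record made under an older notice counts as no answer and re-prompts.
  function isAllowed(category) {
    if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
    if (category === "necessary") return true;
    return consent !== null && consent.version === CONSENT_VERSION &&
      consent.granted[category] === true;
  }

  // Single choke point for cookie writes: refuses what the visitor has not agreed to.
  function setCookie(name, value, category) {
    if (!isAllowed(category)) return false;
    store.set(name, value);
    written.set(name, category);
    return true;
  }

  // Withdrawing must be as easy as consenting (GDPR Art. 7(3)): one call revokes the
  // optional categories and deletes the cookies already set under them.
  function withdraw() {
    for (const [name, cat] of written) if (cat !== "necessary") { store.delete(name); written.delete(name); }
    return decide("deny");
  }
  return { decide, isAllowed, setCookie, withdraw, get: (name) => store.get(name) };
}
```

The same pattern of "no write until an explicit answer is recorded" applies to the inquiry-form checkbox and the pre-payment transfer notice discussed below.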
Inquiry Form
A checkbox confirming consent to the handling of personal information must be placed before the submit button.
Settlement Functions
Japanese payment systems may not support credit cards issued overseas.
GDPR compliance must be confirmed when implementing external payment functions. Credit card information and related shipping address information are stored in the payment company's database, so before payment is made, a pop-up must inform the user that the information will be transferred to an external site and obtain their agreement.
This is true in the U.S. as well, not just under the GDPR.
Server Location
By locating cloud servers in both Japan and Europe, certain GDPR measures can be taken.
This approach provides flexibility in data management but requires continuous review.
However, we expect this risk measure to be limited to companies expanding in Europe with large investments and companies running well-known domestic consumer-facing (toC) web services.
GDPR REQUIRES SOME COMPROMISE.
The GDPR is a strict rule, but full compliance can be difficult for every company.
Companies like GAFAM may pay a fine and still maintain their stance. Smaller companies, on the other hand, must take at least minimum measures so as not to lose the trust of their customers.
In particular, companies operating customer management systems and SaaS offerings must continue to monitor and respond to the latest regulations.
By moving forward with GDPR compliance, we can ensure long-term trust building and competitive advantage.